How do we plan for using the Principle of Least Privilege?
In our growing cloud infrastructure, there are users that need access to resources at an administrator level. How we plan, manage, and monitor these administrator roles will have a direct impact on the security of our cloud infrastructure.
When designing and scoping the company roles for IAM, the principle of least privilege should always be at the forefront of the discussion. This is the concept that any user or resource has access only to the applications, resources, and information that they require to perform their specific job duties. Anything above that creates a vulnerability and a potential threat to the company: sensitive information could be exposed to those who should not be allowed to view it.
The scope of IAM is to ensure that every user, group, or resource has been assigned roles and access that adhere to this principle. These assignments should be documented by job title, and the roles should be reviewed regularly with department owners to verify that the assignments are still accurate and valid. When we discuss creating users and groups in a later chapter, we will cover options for creating role assignments in a dynamic, auto-assigned manner, and how to automate the review of these roles.
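As an added example (not from the book), the following Python script shows one way to carry out the review described above: it compares a snapshot of current role assignments against a documented matrix of roles per job title and flags anything the matrix does not cover. The matrix, user names and role names are constructed for illustration; an export from your own tenant would take their place.

```python
"""Least-privilege review of role assignments against a documented role matrix.

Added example, not from the book. Assumes the role matrix (job title -> allowed
roles) and the current assignments have been exported to plain Python
structures; the data below is constructed for illustration.
"""
from collections import defaultdict

# Constructed role matrix: the roles each job title is documented to need.
ROLE_MATRIX = {
    "Help Desk Analyst": {"Helpdesk Administrator"},
    "Exchange Engineer": {"Exchange Administrator"},
    "Finance Analyst": set(),  # no administrative roles documented
}

# Constructed snapshot of current assignments, as an export might look.
ASSIGNMENTS = [
    {"user": "alice@example.com", "title": "Help Desk Analyst", "role": "Helpdesk Administrator"},
    {"user": "alice@example.com", "title": "Help Desk Analyst", "role": "Global Administrator"},
    {"user": "bob@example.com", "title": "Exchange Engineer", "role": "Exchange Administrator"},
    {"user": "carol@example.com", "title": "Finance Analyst", "role": "User Administrator"},
    {"user": "dave@example.com", "title": "Contractor", "role": "Security Reader"},
]


def find_excess_assignments(assignments, matrix):
    """Return assignments that the matrix does not document for the user's title.

    Each finding carries a reason so the reviewer can tell whether the job
    title has no documented scope at all or the specific role falls outside it.
    """
    findings = []
    for a in assignments:
        allowed = matrix.get(a["title"])
        if allowed is None:
            findings.append({**a, "reason": "job title has no documented role scope"})
        elif a["role"] not in allowed:
            findings.append({**a, "reason": "role not documented for this job title"})
    return findings


def summarize_by_role(findings):
    """Count findings per role so the most sensitive roles surface first."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["role"]] += 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    excess = find_excess_assignments(ASSIGNMENTS, ROLE_MATRIX)
    for f in excess:
        print(f"{f['user']:22} {f['role']:24} {f['reason']}")
    print(summarize_by_role(excess))
```

Running it on the constructed data reports three findings: a help desk analyst holding Global Administrator, a finance analyst holding User Administrator, and a contractor whose job title has no documented scope at all. The last case is worth keeping as a distinct reason, because the fix is to document the title with the department owner rather than simply to remove the role.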
What is Privileged Identity Management (PIM)?
A major area of Identity Governance that we need to manage is privileged access granted through administrative user accounts. As we continue to add and activate these administrative roles within our tenant, we increase the attack surface: anyone who gains unauthorized access to a compromised account may inherit its elevated privileges.
As Identity and Access Administrators, it is our duty to protect and defend this layer by applying the concepts of zero-trust and the principle of least privilege when assigning and managing these administrator accounts. You should have a clear strategy, with defined job tasks for every administrator user account, to plan the proper assignment of these roles. This strategy should include meeting with stakeholders and discussing the roles that each department member requires to complete their job tasks. In addition, you should monitor the activity of these accounts and verify that users still require these privileged access roles.
To enforce the concepts of zero-trust, you can assign Conditional Access policies to these accounts. To address and protect privileged assignments, Azure AD provides Privileged Identity Management within the Identity Governance solutions.
Privileged Identity Management provides just-in-time privileged access to users. Because users hold active administrator roles only for a short window of time, the attack surface is reduced and a compromised account is far less likely to expose privileged access to an attacker. Privileged Identity Management also provides an approval and justification process for activating privileged role assignments, including notifications when a role is activated and an audit trail of these activations.
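To show what the activation audit trail gives a reviewer, here is an added Python example (not from the book or from Microsoft) that works through constructed records. It lists eligible assignments that have not been activated within a review window, which is the "continued requirement" check described earlier, and flags activations that carried no justification or ran longer than a policy limit. The field names are assumptions loosely modelled on the shape of a PIM activation request; the principals, dates and durations are constructed.

```python
"""Review of Privileged Identity Management activation history.

Added example, not from the book or from Microsoft. The records below are
constructed to resemble a simplified export of eligible role assignments and
activation requests; the field names are assumptions.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed eligible (not permanently active) role assignments.
ELIGIBLE = [
    {"principal": "alice@example.com", "role": "Exchange Administrator"},
    {"principal": "bob@example.com", "role": "Global Administrator"},
    {"principal": "carol@example.com", "role": "Security Administrator"},
]

# Constructed activation requests, i.e. what the audit trail records.
ACTIVATIONS = [
    {"principal": "alice@example.com", "role": "Exchange Administrator",
     "created": "2024-03-01T09:00:00Z", "duration": "PT4H",
     "justification": "Ticket INC-1042: mailbox restore"},
    {"principal": "bob@example.com", "role": "Global Administrator",
     "created": "2023-11-20T14:30:00Z", "duration": "PT8H",
     "justification": ""},
    {"principal": "alice@example.com", "role": "Exchange Administrator",
     "created": "2024-03-05T16:15:00Z", "duration": "PT12H",
     "justification": "Ticket INC-1100: transport rule fix"},
]

# Fixed "today" so the results are reproducible.
NOW = datetime(2024, 3, 10, tzinfo=timezone.utc)


def parse_iso_duration(text):
    """Parse the PT#H#M form used for activation durations into a timedelta."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?", text)
    if not m:
        raise ValueError(f"unsupported duration: {text}")
    hours, minutes = (int(g) if g else 0 for g in m.groups())
    return timedelta(hours=hours, minutes=minutes)


def stale_eligibilities(eligible, activations, now=NOW, max_idle_days=90):
    """Eligible assignments with no activation in the last max_idle_days.

    These are candidates for removal: the role is held but not used, so it
    adds to the attack surface without supporting a job task.
    """
    last_used = {}
    for a in activations:
        key = (a["principal"], a["role"])
        when = datetime.fromisoformat(a["created"].replace("Z", "+00:00"))
        last_used[key] = max(when, last_used.get(key, when))
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for e in eligible:
        when = last_used.get((e["principal"], e["role"]))
        if when is None or when < cutoff:
            stale.append(e)
    return stale


def flag_activations(activations, max_hours=8):
    """Activations a reviewer should question: empty justification or duration over policy."""
    flagged = []
    for a in activations:
        reasons = []
        if not a["justification"].strip():
            reasons.append("no justification")
        if parse_iso_duration(a["duration"]) > timedelta(hours=max_hours):
            reasons.append(f"duration exceeds {max_hours}h")
        if reasons:
            flagged.append({**a, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for e in stale_eligibilities(ELIGIBLE, ACTIVATIONS):
        print(f"stale eligibility: {e['principal']} / {e['role']}")
    for a in flag_activations(ACTIVATIONS):
        print(f"review activation: {a['principal']} / {a['role']} on {a['created']}: {', '.join(a['reasons'])}")
```

On the constructed data, Bob's Global Administrator eligibility and Carol's Security Administrator eligibility both fall outside the 90-day window and are listed for removal, Bob's one activation is flagged for having no justification, and Alice's second activation is flagged for exceeding the eight-hour limit. The window and the duration limit are parameters so the same review can be tuned to the policy agreed with department owners.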
Privileged Identity Management (PIM) requires an Azure AD Premium P2 license. To assign PIM to member accounts, each user must have this license. However, for guest users that require privileged access with PIM, five guests can be assigned PIM roles for every one Azure AD Premium P2 license that you have in your tenant.
PIM can be accessed directly by searching for Privileged Identity Management or can be found in the Azure AD Identity Governance tile.